CN1429360A - Cryptographic method and device - Google Patents
Cryptographic method and device
- Publication number: CN1429360A (application CN01809690.5A)
- Authority: CN (China)
- Prior art keywords: mod, opt, kgv, mould, exponentiation
- Legal status: Pending (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Classifications
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F7/00—Methods or arrangements for processing data by operating upon the order or content of the data handled
- G06F7/60—Methods or arrangements for performing computations using a digital non-denominational number representation, i.e. number representation without radix; Computing devices using combinations of denominational and non-denominational quantity representations, e.g. using difunction pulse trains, STEELE computers, phase computers
- G06F7/72—Methods or arrangements for performing computations using a digital non-denominational number representation, i.e. number representation without radix; Computing devices using combinations of denominational and non-denominational quantity representations, e.g. using difunction pulse trains, STEELE computers, phase computers using residue arithmetic
- G06F7/723—Modular exponentiation
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F2207/00—Indexing scheme relating to methods or arrangements for processing data by operating upon the order or content of the data handled
- G06F2207/72—Indexing scheme relating to groups G06F7/72 - G06F7/729
- G06F2207/7219—Countermeasures against side channel or fault attacks
- G06F2207/7271—Fault verification, e.g. comparing two values which should be the same, unless a computational fault occurred
Abstract
The invention relates to a cryptographic method comprising at least one arithmetic step which contains a modular exponentiation $E = x^{d} \pmod{p \cdot q}$, with a first prime factor p, a second prime factor q, an exponent d and a number x. According to the method, the modular exponentiation E is calculated according to the Chinese Remainder Theorem.
Description
Technical field
The present invention relates to a cryptographic method and a cryptographic device.
Background technology
Because of the ever-increasing importance of electronic commerce, cryptographic methods in the form of encryption and signature schemes have become widely used. These methods are generally implemented by means of electronic devices, which may comprise, for example, a programmable universal microcontroller or a dedicated electronic circuit, for example in the form of an ASIC. A particularly interesting form of cryptographic device is the smart card, because, if it is properly designed, it can protect secret key data against unauthorised access. Efforts are continually being made to improve the execution speed of cryptographic methods and to protect them against all possible kinds of attack. The present invention is particularly suited to use with smart cards, but is not limited to them; it can be implemented in combination with a variety of cryptographic devices.
In many known cryptographic methods, a modular exponentiation of the following form has to be carried out:
$E = x^{d} \pmod{N} = x^{d} \pmod{p \cdot q}$ (1)
where p and q are prime numbers. A particularly important cryptographic method that contains a modular exponentiation step is the RSA method, which is described, for example, in Alfred J. Menezes, Paul C. van Oorschot and Scott A. Vanstone, "Handbook of Applied Cryptography", Boca Raton: CRC Press, 1997, pages 285-291. The use of modular exponentiation is, however, not restricted to the RSA method; it also includes, for example, the Rabin signature scheme (Menezes et al., ibid., pages 438-442) and the Fiat-Shamir identification scheme (Menezes et al., ibid., pages 408-410).
The security of cryptographic methods that contain a modular exponentiation often depends on the difficulty of factoring the number N in formula (1) into its prime factors p and q. This problem is only sufficiently hard for large values of N, so on the one hand N should be chosen as large as possible. On the other hand, the computing time needed to evaluate the modular exponentiation of formula (1) grows monotonically with the size of N, so from the viewpoint of practical application one wishes, even for large values of N, to keep the required computing time within acceptable limits.
A known way of improving the computing speed by a factor of 4 is to use the so-called "Chinese remainder theorem", which for example allows a larger value of N at equal computing time. Instead of evaluating formula (1) directly, the following transformation is carried out:
$E = x^{d} \pmod{p \cdot q} = a E_1 + b E_2 \pmod{N}$ (2)
where
$E_1 = x^{d} \pmod{p}$ (3)
$E_2 = x^{d} \pmod{q}$ (4)
A consequence of using the Chinese remainder theorem is that the modular exponentiation is no longer computed modulo N, i.e. modulo a number whose prime factorisation is hidden, but rather the computation rule presupposes a first step computed modulo p and a second step computed modulo q, i.e. knowledge of the prime factorisation N = p·q, which must be kept secret. The overall computation is thus split into a first computing step (3), which essentially involves the first prime factor, and a second computing step (4), which essentially involves the second prime factor. A further advantage is that the exponent d in formula (1) must be defined modulo φ(p·q), whereas in formula (2) the exponents need only be defined modulo φ(p) and φ(q) respectively, where φ denotes Euler's function.
Recently, an attack on cryptographic methods that use such a modular exponentiation has become known. Provided that the concrete implementation uses the Chinese remainder theorem according to formulas (2) to (4), information about the prime factorisation of N can be recovered from the faulty result of a disturbed modular exponentiation by means of a suitable manipulation of the otherwise undisturbed computation sequence. This attack, known as the "Bellcore attack", is described, for example, in Dan Boneh, Richard A. DeMillo and Richard J. Lipton: "On the importance of checking cryptographic protocols for faults", Advances in Cryptology - EUROCRYPT '97, Lecture Notes in Computer Science 1233, Berlin: Springer, 1997. A cryptographic device is manipulated physically, for example by increasing the clock speed or the operating voltage, or by irradiation, so that during the execution of the modular exponentiation according to the Chinese remainder theorem a computing error occurs with a certain, not too large, probability. If a computing error occurs in only one of the two parts of formula (2), the two prime factors p and q can be reconstructed from the faulty exponentiation result.
The consequence drawn from this weakness of modular exponentiation carried out by means of the Chinese remainder theorem is that the correctness of the result of the computing operation must be checked in some form before it is processed further, in particular before it is output, for example in the form of a signature.
A simple countermeasure against the Bellcore attack is to realise this correctness check by repeating the computing operation at least once. In the case of random computing errors, it can be assumed that the result of the first computing operation will differ from the result of the checking computation. The major drawback of this method is that the single checking computation doubles the computing time.
Document WO-A-98/52319 discloses, in particular, a method for protecting the computing operation of a modular exponentiation carried out according to the Chinese remainder theorem against the Bellcore attack. A secret integer j is selected, for example from the range $[0, 2^{k}-1]$ with $16 \le k \le 32$. The following are then calculated:
$v_1 = x \pmod{j \cdot p}$ (5)
$v_2 = x \pmod{j \cdot q}$ (6)
$d_1 = d \pmod{\varphi(j \cdot p)}$ (7)
$d_2 = d \pmod{\varphi(j \cdot q)}$ (8)
$w_1 = v_1^{d_1} \pmod{j \cdot p}$ (9)
$w_2 = v_2^{d_2} \pmod{j \cdot q}$ (10)
It is then checked whether
$w_1 = w_2 \pmod{j}$ (11)
holds. If formula (11) is verified, the following are calculated by known methods:
$y_1 = w_1 \pmod{p}$ (12)
$y_2 = w_2 \pmod{q}$ (13)
from which, by means of the Chinese remainder theorem,
$E = x^{d} \pmod{N}$ (14)
can be determined. Compared with the simple checking computation, this known method has the advantage that the additional computing time required is greatly reduced.
In this method, the two primes p and q must be multiplied by the same factor j. Document WO-A1-98/52319 also discloses a second method, which allows the primes p and q to be multiplied by different factors r and s. For the checking computation, however, two further exponentiations are then required.
Summary of the invention
The problem addressed by the present invention is to provide a cryptographic method and a cryptographic device that save computing operations or computing time while maintaining or increasing security.
This problem is solved by a cryptographic method having the features of claim 1 or 2 and by a cryptographic device having the features of claim 13 or 14.
Dependent claims 3 to 12 and 15 to 24 represent advantageous developments.
Embodiment
As explained further below, it is advantageous for some arithmetic units if the modulus of a modular exponentiation has many leading binary ones, so that different factors r and s offer a certain advantage. In addition, there are arithmetic units that are optimised for modular exponentiation, where the transfer of data from the central processing unit (CPU) to the optimised unit, which is useful only for exponentiation, causes considerable overhead. Compared with the above-mentioned method using different factors r and s, the present invention saves one exponentiation.
According to the invention, two integers r and s are selected, for example from the range $[0, 2^{k}-1]$ with $16 \le k \le 32$, such that d is coprime to $\varphi(\operatorname{kgV}(r, s))$, where $\operatorname{kgV}(r, s)$ denotes the least common multiple of r and s and $\varphi(\cdot)$ denotes Euler's function. The following are then calculated:
$x_1 = x \pmod{p \cdot r}$ (15)
$x_2 = x \pmod{q \cdot s}$ (16)
$d_1 = d \pmod{\varphi(p \cdot r)}$
$d_2 = d \pmod{\varphi(q \cdot s)}$
$z_1 = x_1^{d_1} \pmod{p \cdot r}$
$z_2 = x_2^{d_2} \pmod{q \cdot s}$
Now $z_1 = x^{d} \pmod{p \cdot r}$ and $z_2 = x^{d} \pmod{q \cdot s}$ hold. According to the Chinese remainder theorem, a number z is easily calculated from $z_1$ and $z_2$ by means of
$z = z_1 \pmod{p \cdot r};\quad z = z_2 \pmod{q \cdot s};\quad z = x^{d} \pmod{p \cdot q \cdot \operatorname{kgV}(r, s)}$ (17)
According to the invention, the numbers r and s must be chosen such that d is coprime to $\varphi(\operatorname{kgV}(r, s))$. Under this condition, the extended Euclidean algorithm can be used to obtain a natural number e easily from
$e \cdot d = 1 \pmod{\varphi(\operatorname{kgV}(r, s))}$ (18)
By means of z and e, a number C is calculated according to
$C = z^{e} \pmod{\operatorname{kgV}(r, s)}$ (19)
By Euler's theorem,
$C = x^{d \cdot e} = x \pmod{\operatorname{kgV}(r, s)}$ (20)
By comparing the two values C and x modulo $\operatorname{kgV}(r, s)$, a fault can be detected with high probability. If $C \ne x \pmod{\operatorname{kgV}(r, s)}$ is found, the result of the modular exponentiation is regarded as faulty and is discarded.
In the RSA method (as in the Rabin signature scheme), the modular exponentiation is carried out in order to produce a digital signature or to decrypt, so that the modulus p·q and the exponent d depend only on the private key. Consequently, the numbers d, e, r and s can be calculated once, when the private key is installed, and stored for reuse.
In a modification of the invention, two integers r and s are selected, for example from the range $[0, 2^{k}-1]$ with $16 \le k \le 32$. In the case of binary arithmetic units, it is recommended that r and s be odd. In addition, two fixed numbers $b_1$ and $b_2$ are selected in the intervals $[1, \ldots, r-1]$ and $[1, \ldots, s-1]$ respectively; they do not depend on x and are coprime to r and s respectively. If r and s are not coprime, then $b_1$ and $b_2$ must satisfy the additional condition $b_1 = b_2 \pmod{\operatorname{ggT}(r, s)}$, where $\operatorname{ggT}(r, s)$ denotes the greatest common divisor of r and s.
According to the Chinese remainder theorem, the number $x_1$ is first calculated from
$x_1 = x \pmod{p},\quad x_1 = b_1 \pmod{r}$ (21)
and likewise $x_2$ from
$x_2 = x \pmod{q},\quad x_2 = b_2 \pmod{s}$ (22)
Then the following are calculated:
$d_1 = d \pmod{\varphi(p)}$ (23)
$d_2 = d \pmod{\varphi(q)}$ (24)
$z_1 = x_1^{d_1} \pmod{p \cdot r}$ (25)
$z_2 = x_2^{d_2} \pmod{q \cdot s}$ (26)
$C_1 = b_1^{d_1} \pmod{r}$ (27)
$C_2 = b_2^{d_2} \pmod{s}$ (28)
In order to save computing time, the exponents $d_1$ and $d_2$ in formulas (27) and (28) can be reduced modulo φ(r) and φ(s) respectively before the modular exponentiation is carried out.
From formulas (23) and (25):
$z_1 = x^{d} \pmod{p}$ (29)
From formulas (24) and (26):
$z_2 = x^{d} \pmod{q}$ (30)
According to the Chinese remainder theorem, a number z is easily calculated from $z_1$ and $z_2$:
$z = z_1 \pmod{p \cdot r};\quad z = z_2 \pmod{q \cdot s}$ (31)
Even if r and s are not coprime, the number z exists, because $z_1 = C_1 = b_1^{d_1} = b_2^{d_2} = C_2 = z_2 \pmod{\operatorname{ggT}(r, s)}$. Since p and q are coprime, formulas (29), (30) and (31) give:
$z = x^{d} \pmod{p \cdot q}$ (32)
The sought number z can therefore easily be determined from the values calculated above.
From formulas (21), (25) and (27):
$z_1 = C_1 \pmod{r}$ (33)
From formulas (22), (26) and (28):
$z_2 = C_2 \pmod{s}$ (34)
By checking conditions (33) and (34), a fault can be detected with high probability. If condition (33) or (34) is violated, the result of the modular exponentiation is regarded as faulty and is discarded.
Compared with the method of claim 8 of document WO-A1-98/52319, the numbers $b_1$ and $b_2$ in this modification of the method do not depend on the base x. When the RSA method or the Rabin signature method is used, the private key is generally installed once in the cryptographic device, for example a smart card, and then used many times. In the modular exponentiation used in these methods, the exponent d and the modulus p·q are fixed components of the private key. Hence the values $C_1$ and $C_2$ need only be calculated once, when the key is installed in the cryptographic device, and can then be stored in the device. Compared with the method of document WO-A1-98/52319, storing these values saves two modular exponentiations.
In a typical embodiment, a cryptographic device with additional hardware for accelerating modular arithmetic, for example a smart card, contains fast addition and multiplication units, whereas the usual standard methods for modular reduction require a division by a long number, as described for example in Donald Knuth: "The Art of Computer Programming", Volume 2: Seminumerical Algorithms, 2nd Ed., Addison-Wesley, 1981. One of the known methods for simplifying the division operation is to multiply the modulus p by a number r before the exponentiation, so that the binary representation of the product p·r contains as many leading ones as possible; see, for example, Menezes et al., ibid., pages 598-599. Division by a number with as many leading ones as possible is much simpler than division by an arbitrary number.
According to the invention, the multiplier r is chosen such that d is coprime to φ(r). In the modification of the invention described above, this coprimality is not required. For each modulus p there is an optimal multiplier $r_{\mathrm{opt}}$, which depends on the particular technical implementation of the division. If the chosen value of r is slightly smaller than the optimal value, the product p·r still contains enough leading ones for the division to be carried out simply. With high probability, d is coprime to $\varphi(r_{\mathrm{opt}} - i)$ for at least one value $i = 1, \ldots, k$, where k is a small number that depends on the implementation.
If this is not the case, r is replaced by $2^{i} \cdot r$, where $2^{i}$ is a suitable power of 2 depending on the implementation.
The same replacement can be used for the second prime factor q. Since the multipliers r (for p) and s (for q) can be chosen independently of each other, a corresponding choice can likewise be made for the multiplier s.
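The following Python is added here as an illustration and is not part of the patent or of any implementation by its applicant: it carries out the two checked exponentiations described above (the kgV(r,s) check of the main method and the stored C1/C2 variant), injects a constructed fault into one half of the CRT computation to show that the check rejects the result, and implements the r_opt selection procedure of the last paragraphs. It assumes toy-sized constructed parameters, coprime r and s (and coprime CRT moduli), and square-free p·r, q·s and kgV(r,s), so that the Euler-theorem identities hold for every base x.

```python
from math import gcd


def phi(n):
    """Euler's totient by trial-division factoring; fine for the small r, s, p*r, q*s used here."""
    result, m, f = n, n, 2
    while f * f <= m:
        if m % f == 0:
            while m % f == 0:
                m //= f
            result -= result // f
        f += 1
    return result - result // m if m > 1 else result


def crt2(a1, m1, a2, m2):
    """Smallest z >= 0 with z = a1 (mod m1) and z = a2 (mod m2); moduli must be coprime here."""
    if gcd(m1, m2) != 1:
        raise ValueError("this example assumes coprime CRT moduli")
    return (a1 + m1 * (((a2 - a1) * pow(m1, -1, m2)) % m2)) % (m1 * m2)


def checked_exp_claim1(x, d, p, q, r, s, fault=0):
    """Checked CRT exponentiation of the main method: z over p*r and q*s, verified by z^e = x (mod kgV(r,s)).
    Returns (x^d mod p*q, check_passed). fault != 0 simulates a disturbed first half-exponentiation."""
    L = r * s // gcd(r, s)                       # kgV(r, s)
    if gcd(d, phi(L)) != 1:
        raise ValueError("d must be coprime to phi(kgV(r, s))")
    d1, d2 = d % phi(p * r), d % phi(q * s)
    z1 = pow(x % (p * r), d1, p * r)
    z2 = pow(x % (q * s), d2, q * s)
    z1 = (z1 + fault) % (p * r)                  # constructed fault injection (Bellcore-style error)
    z = crt2(z1, p * r, z2, q * s)               # z = x^d (mod p*q*kgV(r,s)) when fault-free
    e = pow(d, -1, phi(L))                       # extended Euclid: e*d = 1 (mod phi(kgV(r,s)))
    C = pow(z, e, L)                             # Euler: C = x^(d*e) = x (mod kgV(r,s)) if no fault
    return z % (p * q), C == x % L


def checked_exp_claim2(x, d, p, q, r, s, b1, b2, fault=0):
    """Variant with fixed bases b1 (mod r), b2 (mod s): the check values C1, C2 depend only on
    the key and could be stored in the device. Assumes ggT(r, s) = 1."""
    if gcd(b1, r) != 1 or gcd(b2, s) != 1 or gcd(r, s) != 1:
        raise ValueError("need b1 coprime to r, b2 coprime to s, and coprime r, s")
    d1, d2 = d % phi(p), d % phi(q)
    C1 = pow(b1, d1 % phi(r), r)                 # exponents reduced mod phi(r), phi(s) as the text allows
    C2 = pow(b2, d2 % phi(s), s)
    x1 = crt2(x % p, p, b1, r)                   # x1 = x (mod p), x1 = b1 (mod r)
    x2 = crt2(x % q, q, b2, s)                   # x2 = x (mod q), x2 = b2 (mod s)
    z1 = (pow(x1, d1, p * r) + fault) % (p * r)  # constructed fault injection
    z2 = pow(x2, d2, q * s)
    z = crt2(z1, p * r, z2, q * s)
    return z % (p * q), z1 % r == C1 and z2 % s == C2


def optimal_multiplier(p, k):
    """r_opt: the largest r < 2^k for which p*r sits just below a power of two (many leading ones)."""
    return ((1 << (p.bit_length() + k - 1)) - 1) // p


def leading_ones(n):
    bits = bin(n)[2:]
    return len(bits) - len(bits.lstrip("1"))


def choose_multiplier(p, d, k, max_i=8, max_j=4):
    """Selection procedure described above: try r_opt - i (i = 0..max_i) until gcd(d, phi(r)) = 1,
    otherwise fall back to 2^j * r_opt. Returns the chosen r."""
    r_opt = optimal_multiplier(p, k)
    for i in range(max_i + 1):
        if gcd(d, phi(r_opt - i)) == 1:
            return r_opt - i
    for j in range(1, max_j + 1):
        if gcd(d, phi(r_opt << j)) == 1:
            return r_opt << j
    raise ValueError("no suitable multiplier found")


# Constructed toy parameters (a real device uses 1024-bit primes and 16 <= k <= 32 bit r, s):
P, Q, D = 61, 53, 2753          # N = 3233, public exponent 17
R, S, B1, B2 = 7, 11, 3, 5      # odd, coprime; gcd(D, phi(kgV(7, 11))) = gcd(2753, 60) = 1

if __name__ == "__main__":
    for fault in (0, 1):
        print("main method:", checked_exp_claim1(65, D, P, Q, R, S, fault))
        print("variant:    ", checked_exp_claim2(65, D, P, Q, R, S, B1, B2, fault))
    r = choose_multiplier(P, D, k=8)
    print("r =", r, "leading ones of p*r:", leading_ones(P * r))
```

With these parameters a one-unit disturbance of z1 always changes z modulo r, so both checks reject the faulty result deterministically; for an arbitrary error the text's "high probability" applies.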
Claims (24)
1. A cryptographic method,
a) having at least one computing step comprising a modular exponentiation $E = x^{d} \pmod{p \cdot q}$ with a first prime factor p, a second prime factor q, an exponent d and a base x, wherein
b) for carrying out the modular exponentiation, two natural numbers r and s are selected such that d is coprime to $\varphi(\operatorname{kgV}(r, s))$, and the following computing steps are carried out:
$x_1 = x \pmod{p \cdot r}$
$x_2 = x \pmod{q \cdot s}$
$d_1 = d \pmod{\varphi(p \cdot r)}$
$d_2 = d \pmod{\varphi(q \cdot s)}$
$z_1 = x_1^{d_1} \pmod{p \cdot r}$
$z_2 = x_2^{d_2} \pmod{q \cdot s}$
where $\varphi(\cdot)$ is Euler's function and $\operatorname{kgV}(r, s)$ is the least common multiple of r and s,
c) a number z is then calculated from $z_1$ and $z_2$ according to the Chinese remainder theorem: $z = z_1 \pmod{p \cdot r};\ z = z_2 \pmod{q \cdot s}$;
d) the result E of the exponentiation is calculated by reducing z modulo p·q,
e) the previously calculated number z, and thereby the result E, is checked for computing errors in a checking step,
f) the checking step comprising the following computing operations:
f1) calculating, by means of the extended Euclidean algorithm, the smallest possible natural number e with the property $e \cdot d = 1 \pmod{\varphi(\operatorname{kgV}(r, s))}$,
f2) calculating the value $C = z^{e} \pmod{\operatorname{kgV}(r, s)}$,
f3) comparing the values x and C modulo $\operatorname{kgV}(r, s)$, wherein if $x \ne C \pmod{\operatorname{kgV}(r, s)}$, the result of the modular exponentiation E is discarded as faulty.
2. A cryptographic method,
a) having at least one computing step comprising a modular exponentiation $E = x^{d} \pmod{p \cdot q}$ with a first prime factor p, a second prime factor q, an exponent d and a base x, wherein
b) for carrying out the modular exponentiation, two natural numbers r and s are selected, together with two numbers $b_1$ and $b_2$ in the intervals $[1, \ldots, r-1]$ and $[1, \ldots, s-1]$ respectively, $b_1$ and $b_2$ being coprime to r and s respectively and satisfying the condition $b_1 = b_2 \pmod{\operatorname{ggT}(r, s)}$, where $\operatorname{ggT}(r, s)$ denotes the greatest common divisor of r and s,
c) the numbers $x_1$, $x_2$ satisfying
$x_1 = x \pmod{p},\quad x_1 = b_1 \pmod{r}$
$x_2 = x \pmod{q},\quad x_2 = b_2 \pmod{s}$
are calculated from the two numbers $b_1$ and $b_2$ according to the Chinese remainder theorem, and the following computing steps are carried out:
$d_1 = d \pmod{\varphi(p)}$
$d_2 = d \pmod{\varphi(q)}$
$z_1 = x_1^{d_1} \pmod{p \cdot r}$
$z_2 = x_2^{d_2} \pmod{q \cdot s}$
where $\varphi(\cdot)$ is Euler's function and $\operatorname{kgV}(r, s)$ is the least common multiple of r and s,
d) a number z is then calculated from $z_1$ and $z_2$ according to the Chinese remainder theorem: $z = z_1 \pmod{p \cdot r};\ z = z_2 \pmod{q \cdot s}$;
e) the result E of the exponentiation is calculated by reducing z modulo p·q,
f) the previously calculated number z (and thereby automatically also the result E) is checked for computing errors in a checking step,
g) the checking step comprising the following computing operations:
g1) calculating the numbers
$C_1 = b_1^{d_1} \pmod{r}$
$C_2 = b_2^{d_2} \pmod{s}$
where $d_1$, $d_2$ are reduced modulo φ(r) and φ(s) respectively before the modular exponentiation is carried out,
g2) comparing $z_1$ and $C_1$ modulo r and $z_2$ and $C_2$ modulo s, wherein if $C_1 \ne z_1 \pmod{r}$ or $C_2 \ne z_2 \pmod{s}$, the result of the modular exponentiation E is discarded as faulty.
3. The cryptographic method of claim 2, wherein the numbers r and s are odd.
4. The cryptographic method of any one of claims 1-3, wherein the numbers r and s are selected from the range $[0, 2^{k}-1]$ with $16 \le k \le 32$.
5. The cryptographic method of any one of claims 1-4, wherein at least one of the numbers r and s is selected such that the binary representation of the product p·r or q·s contains as many leading ones as possible.
6. The cryptographic method of any one of claims 1-5, wherein both numbers r and s are selected such that the binary representations of the products p·r and q·s contain as many leading ones as possible.
7. The cryptographic method of one of claims 5 and 6, wherein
a) in a first sub-step, for at least one of the numbers r and s, the corresponding optimal numbers $r_{\mathrm{opt}}$ and $s_{\mathrm{opt}}$ are first selected without regard to the condition that d be coprime to $\varphi(\operatorname{kgV}(r, s))$, and
b) in a second sub-step, neighbouring values $r = r_{\mathrm{opt}} - i$ and $s = s_{\mathrm{opt}} - i$, $i = 0, 1, \ldots, k$, are selected such that d is coprime to $\varphi(\operatorname{kgV}(r, s))$.
8. The cryptographic method of one of claims 5 and 6, wherein
a) in a first sub-step, for each of the numbers r and s, the corresponding optimal numbers $r_{\mathrm{opt}}$ and $s_{\mathrm{opt}}$ are selected without regard to the condition that d be coprime to $\varphi(\operatorname{kgV}(r, s))$, and
b) in a second sub-step, the values $r = 2^{l} \cdot r_{\mathrm{opt}}$, $s = 2^{l} \cdot s_{\mathrm{opt}}$, $l = 0, 1, \ldots, j$, are selected such that d is coprime to $\varphi(\operatorname{kgV}(r, s))$.
9. The cryptographic method of one of claims 5 and 6, wherein
a) in a first sub-step, at least one of the numbers $r_{\mathrm{opt}}$ and $s_{\mathrm{opt}}$ is first selected without regard to the condition that d be coprime to $\varphi(\operatorname{kgV}(r, s))$,
b) in a second sub-step, neighbouring values $r = r_{\mathrm{opt}} - i$ and $s = s_{\mathrm{opt}} - i$, $i = 0, 1, \ldots, k$, are selected such that, if such a value exists for $i = 0, 1, \ldots, k$, d is coprime to $\varphi(\operatorname{kgV}(r, s))$, and
c) in a third sub-step, the values $r = 2^{l} \cdot r_{\mathrm{opt}}$, $s = 2^{l} \cdot s_{\mathrm{opt}}$, $l = 0, 1, \ldots, j$, are selected such that, if no value was selected in the second sub-step, d is coprime to $\varphi(\operatorname{kgV}(r, s))$.
10. The cryptographic method of any one of the preceding claims, comprising the RSA method.
11. The cryptographic method of any one of the preceding claims, comprising the Rabin signature method.
12. The cryptographic method of any one of the preceding claims, comprising the Fiat-Shamir identification method.
13. A cryptographic device,
a) having at least one exponentiation unit for carrying out a computing step comprising a modular exponentiation $E = x^{d} \pmod{p \cdot q}$ with a first prime factor p, a second prime factor q, an exponent d and a base x, wherein
b) for carrying out the modular exponentiation, two natural numbers r and s are selected such that d is coprime to $\varphi(\operatorname{kgV}(r, s))$, and the following computing steps are carried out:
$x_1 = x \pmod{p \cdot r}$
$x_2 = x \pmod{q \cdot s}$
$d_1 = d \pmod{\varphi(p \cdot r)}$
$d_2 = d \pmod{\varphi(q \cdot s)}$
$z_1 = x_1^{d_1} \pmod{p \cdot r}$
$z_2 = x_2^{d_2} \pmod{q \cdot s}$
where $\varphi(\cdot)$ is Euler's function and $\operatorname{kgV}(r, s)$ is the least common multiple of r and s,
c) a number z is then calculated from $z_1$ and $z_2$ according to the Chinese remainder theorem: $z = z_1 \pmod{p \cdot r};\ z = z_2 \pmod{q \cdot s}$;
d) the result E of the exponentiation is calculated by reducing z modulo p·q,
e) the previously calculated number z (and thereby automatically also the result E) is checked for computing errors in a checking step,
f) the checking step comprising the following computing operations:
f1) calculating, by means of the extended Euclidean algorithm, the smallest possible natural number e with the property $e \cdot d = 1 \pmod{\varphi(\operatorname{kgV}(r, s))}$,
f2) calculating the value $C = z^{e} \pmod{\operatorname{kgV}(r, s)}$,
f3) comparing the values x and C modulo $\operatorname{kgV}(r, s)$, wherein if $x \ne C \pmod{\operatorname{kgV}(r, s)}$, the result of the modular exponentiation E is discarded as faulty.
14. A cryptographic device,
a) having at least one exponentiation unit for carrying out at least one computing step comprising a modular exponentiation $E = x^{d} \pmod{p \cdot q}$ with a first prime factor p, a second prime factor q, an exponent d and a base x, wherein
b) for carrying out the modular exponentiation, two natural numbers r and s are selected, together with two numbers $b_1$ and $b_2$ in the intervals $[1, \ldots, r-1]$ and $[1, \ldots, s-1]$ respectively, $b_1$ and $b_2$ being coprime to r and s respectively and satisfying the condition $b_1 = b_2 \pmod{\operatorname{ggT}(r, s)}$, where $\operatorname{ggT}(r, s)$ denotes the greatest common divisor of r and s,
c) the numbers $x_1$, $x_2$ satisfying
$x_1 = x \pmod{p},\quad x_1 = b_1 \pmod{r}$
$x_2 = x \pmod{q},\quad x_2 = b_2 \pmod{s}$
are calculated from the two numbers $b_1$ and $b_2$ according to the Chinese remainder theorem, and the following computing steps are carried out:
$d_1 = d \pmod{\varphi(p)}$
$d_2 = d \pmod{\varphi(q)}$
$z_1 = x_1^{d_1} \pmod{p \cdot r}$
$z_2 = x_2^{d_2} \pmod{q \cdot s}$
where $\varphi(\cdot)$ is Euler's function and $\operatorname{kgV}(r, s)$ is the least common multiple of r and s,
d) a number z is then calculated from $z_1$ and $z_2$ according to the Chinese remainder theorem: $z = z_1 \pmod{p \cdot r};\ z = z_2 \pmod{q \cdot s}$;
e) the result E of the exponentiation is calculated by reducing z modulo p·q,
f) the previously calculated number z (and thereby automatically also the result E) is checked for computing errors in a checking step,
g) the checking step comprising the following computing operations:
g1) calculating the numbers
$C_1 = b_1^{d_1} \pmod{r}$
$C_2 = b_2^{d_2} \pmod{s}$
where $d_1$, $d_2$ are reduced modulo φ(r) and φ(s) respectively before the modular exponentiation is carried out,
g2) comparing the values $z_1$ and $C_1$ modulo r and $z_2$ and $C_2$ modulo s, wherein if $C_1 \ne z_1 \pmod{r}$ or $C_2 \ne z_2 \pmod{s}$, the result of the modular exponentiation E is discarded as faulty.
15. The cryptographic device of claim 14, wherein the numbers r and s are odd.
16. The cryptographic device of any one of claims 13-15, wherein the numbers r and s are selected from the range $[0, 2^{k}-1]$ with $16 \le k \le 32$.
17. The cryptographic device of any one of claims 13-16, wherein at least one of the numbers r and s is selected such that the binary representation of the product p·r or q·s contains as many leading ones as possible.
18. The cryptographic device of any one of claims 13-17, wherein both numbers r and s are selected such that the binary representations of the products p·r and q·s contain as many leading ones as possible.
19. The cryptographic device of one of claims 17 and 18, wherein
a) in a first sub-step, for at least one of the numbers r and s, the corresponding optimal numbers $r_{\mathrm{opt}}$ and $s_{\mathrm{opt}}$ are first selected without regard to the condition that d be coprime to $\varphi(\operatorname{kgV}(r, s))$, and
b) in a second sub-step, neighbouring values $r = r_{\mathrm{opt}} - i$ and $s = s_{\mathrm{opt}} - i$, $i = 0, 1, \ldots, k$, are selected such that d is coprime to $\varphi(\operatorname{kgV}(r, s))$.
20. The cryptographic device of one of claims 17 and 18, wherein
a) in a first sub-step, for each of the numbers r and s, the corresponding optimal numbers $r_{\mathrm{opt}}$ and $s_{\mathrm{opt}}$ are selected without regard to the condition that d be coprime to $\varphi(\operatorname{kgV}(r, s))$, and
b) in a second sub-step, the values $r = 2^{l} \cdot r_{\mathrm{opt}}$, $s = 2^{l} \cdot s_{\mathrm{opt}}$, $l = 0, 1, \ldots, j$, are selected such that d is coprime to $\varphi(\operatorname{kgV}(r, s))$.
21. The cryptographic device of one of claims 17 and 18, wherein
a) in a first sub-step, at least one of the numbers $r_{\mathrm{opt}}$ and $s_{\mathrm{opt}}$ is first selected without regard to the condition that d be coprime to $\varphi(\operatorname{kgV}(r, s))$,
b) in a second sub-step, neighbouring values $r = r_{\mathrm{opt}} - i$ and $s = s_{\mathrm{opt}} - i$, $i = 0, 1, \ldots, k$, are selected such that, if such a value exists for $i = 0, 1, \ldots, k$, d is coprime to $\varphi(\operatorname{kgV}(r, s))$, and
c) in a third sub-step, the values $r = 2^{l} \cdot r_{\mathrm{opt}}$, $s = 2^{l} \cdot s_{\mathrm{opt}}$, $l = 0, 1, \ldots, j$, are selected such that, if no value was selected in the second sub-step, d is coprime to $\varphi(\operatorname{kgV}(r, s))$.
22. The cryptographic device of any one of the preceding claims, comprising the RSA method.
23. The cryptographic device of any one of the preceding claims, comprising the Rabin signature method.
24. The cryptographic device of any one of the preceding claims, comprising the Fiat-Shamir identification method.
Applications Claiming Priority (2)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
DE10024325A DE10024325B4 (en) | 2000-05-17 | 2000-05-17 | Cryptographic method and cryptographic device |
DE10024325.8 | 2000-05-17 |
Publications (1)
Publication Number | Publication Date |
---|---|
CN1429360A true CN1429360A (en) | 2003-07-09 |
Family
ID=7642491
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN01809690.5A Pending CN1429360A (en) | 2000-05-17 | 2001-05-15 | Cryptographic method and device |
Country Status (12)
Country | Link |
---|---|
US (1) | US7227947B2 (en) |
EP (1) | EP1290545B1 (en) |
JP (1) | JP4977300B2 (en) |
CN (1) | CN1429360A (en) |
AT (1) | ATE309569T1 (en) |
AU (2) | AU6596701A (en) |
BR (1) | BR0110923A (en) |
CA (1) | CA2409200C (en) |
DE (2) | DE10024325B4 (en) |
MX (1) | MXPA02011222A (en) |
RU (1) | RU2276465C2 (en) |
WO (1) | WO2001088693A2 (en) |
Cited By (5)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN100555213C (en) * | 2003-10-14 | 2009-10-28 | 松下电器产业株式会社 | Data converter |
CN1883155B (en) * | 2003-11-18 | 2010-12-22 | 爱特梅尔卢梭公司 | Randomized modular reduction method and hardware therefor |
CN104025018A (en) * | 2011-10-28 | 2014-09-03 | 德国捷德有限公司 | Efficient Prime-Number Check |
CN104123431A (en) * | 2013-04-24 | 2014-10-29 | 国民技术股份有限公司 | Element modular inversion calculation method and device |
CN105892991A (en) * | 2015-02-18 | 2016-08-24 | 恩智浦有限公司 | Modular multiplication using look-up tables |
Families Citing this family (13)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
DE10162584A1 (en) * | 2001-10-17 | 2003-05-08 | Infineon Technologies Ag | Method for validating an exponentiation result with the Chinese remainder theorem forms extra modules with two primary numbers for calculating extra values to work out a modular exponentiation to match the product of the values. |
DE50204119D1 (en) | 2001-10-17 | 2005-10-06 | Infineon Technologies Ag | METHOD AND DEVICE FOR OBTAINING A CALCULATION IN A CRYPTOGRAPHIC ALGORITHM |
WO2003034268A2 (en) | 2001-10-17 | 2003-04-24 | Infineon Technologies Ag | Method and device for securing an exponentiation calculation by means of the chinese remainder theorem (crt) |
EP1540880B1 (en) * | 2002-09-11 | 2006-03-08 | Giesecke & Devrient GmbH | Protected cryptographic calculation |
US7840806B2 (en) * | 2002-10-16 | 2010-11-23 | Enterprise Information Management, Inc. | System and method of non-centralized zero knowledge authentication for a computer network |
US8239917B2 (en) * | 2002-10-16 | 2012-08-07 | Enterprise Information Management, Inc. | Systems and methods for enterprise security with collaborative peer to peer architecture |
US7597250B2 (en) | 2003-11-17 | 2009-10-06 | Dpd Patent Trust Ltd. | RFID reader with multiple interfaces |
US7762470B2 (en) | 2003-11-17 | 2010-07-27 | Dpd Patent Trust Ltd. | RFID token with multiple interface controller |
US7213766B2 (en) | 2003-11-17 | 2007-05-08 | Dpd Patent Trust Ltd | Multi-interface compact personal token apparatus and methods of use |
JP5291637B2 (en) * | 2007-02-27 | 2013-09-18 | トムソン ライセンシング | Method and apparatus for generating a compressed RSA modulus |
EP2697786B1 (en) * | 2011-04-13 | 2017-10-04 | Nokia Technologies Oy | Method and apparatus for identity based ticketing |
CA2970153C (en) | 2014-12-10 | 2023-06-06 | Kyndi, Inc. | Apparatus and method for combinatorial hypermap based data representations and operations |
US11005654B2 (en) | 2019-05-14 | 2021-05-11 | Google Llc | Outsourcing exponentiation in a private group |
Family Cites Families (3)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
FR2737369A1 (en) * | 1995-07-26 | 1997-01-31 | Trt Telecom Radio Electr | SYSTEM FOR COMMUNICATING ENCRYPTED MESSAGES ACCORDING TO A METHOD OF R.S.A. |
GB2318892B (en) * | 1996-10-31 | 2001-07-11 | Motorola Ltd | Co-processor for performing modular multiplication |
US5991415A (en) * | 1997-05-12 | 1999-11-23 | Yeda Research And Development Co. Ltd. At The Weizmann Institute Of Science | Method and apparatus for protecting public key schemes from timing and fault attacks |
2000
- 2000-05-17 DE DE10024325A patent/DE10024325B4/en not_active Expired - Fee Related
2001
- 2001-05-15 CA CA2409200A patent/CA2409200C/en not_active Expired - Lifetime
- 2001-05-15 EP EP01943373A patent/EP1290545B1/en not_active Expired - Lifetime
- 2001-05-15 DE DE50108011T patent/DE50108011D1/en not_active Expired - Lifetime
- 2001-05-15 RU RU2002133218/09A patent/RU2276465C2/en not_active IP Right Cessation
- 2001-05-15 MX MXPA02011222A patent/MXPA02011222A/en active IP Right Grant
- 2001-05-15 US US10/275,947 patent/US7227947B2/en not_active Expired - Fee Related
- 2001-05-15 WO PCT/EP2001/005532 patent/WO2001088693A2/en active IP Right Grant
- 2001-05-15 CN CN01809690.5A patent/CN1429360A/en active Pending
- 2001-05-15 AU AU6596701A patent/AU6596701A/en active Pending
- 2001-05-15 JP JP2001585023A patent/JP4977300B2/en not_active Expired - Lifetime
- 2001-05-15 BR BR0110923-5A patent/BR0110923A/en not_active IP Right Cessation
- 2001-05-15 AT AT01943373T patent/ATE309569T1/en not_active IP Right Cessation
- 2001-05-15 AU AU2001265967A patent/AU2001265967B2/en not_active Expired
Cited By (7)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN100555213C (en) * | 2003-10-14 | 2009-10-28 | 松下电器产业株式会社 | Data converter |
CN1883155B (en) * | 2003-11-18 | 2010-12-22 | 爱特梅尔卢梭公司 | Randomized modular reduction method and hardware therefor |
CN104025018A (en) * | 2011-10-28 | 2014-09-03 | 德国捷德有限公司 | Efficient Prime-Number Check |
CN104025018B (en) * | 2011-10-28 | 2017-12-01 | 捷德移动安全有限责任公司 | Effectively examine prime number |
CN104123431A (en) * | 2013-04-24 | 2014-10-29 | 国民技术股份有限公司 | Element modular inversion calculation method and device |
CN104123431B (en) * | 2013-04-24 | 2018-09-14 | 国民技术股份有限公司 | A kind of mould of element is against computational methods and device |
CN105892991A (en) * | 2015-02-18 | 2016-08-24 | 恩智浦有限公司 | Modular multiplication using look-up tables |
Also Published As
Publication number | Publication date |
---|---|
WO2001088693A2 (en) | 2001-11-22 |
JP4977300B2 (en) | 2012-07-18 |
JP2003533752A (en) | 2003-11-11 |
DE10024325A1 (en) | 2001-12-06 |
MXPA02011222A (en) | 2003-06-06 |
BR0110923A (en) | 2003-03-11 |
AU2001265967B2 (en) | 2005-11-24 |
ATE309569T1 (en) | 2005-11-15 |
EP1290545A2 (en) | 2003-03-12 |
US20040028221A1 (en) | 2004-02-12 |
CA2409200A1 (en) | 2002-11-18 |
AU6596701A (en) | 2001-11-26 |
EP1290545B1 (en) | 2005-11-09 |
WO2001088693A3 (en) | 2002-02-28 |
DE50108011D1 (en) | 2005-12-15 |
US7227947B2 (en) | 2007-06-05 |
DE10024325B4 (en) | 2005-12-15 |
CA2409200C (en) | 2010-02-09 |
RU2276465C2 (en) | 2006-05-10 |
Similar Documents
Publication | Title | Publication Date |
---|---|---|
CN1429360A (en) | Cryptographic method and device | |
US9942039B1 (en) | Applying modular reductions in cryptographic protocols | |
Overbeck | A new structural attack for GPT and variants | |
CN1425231A (en) | Cryptography method on elliptic curves | |
CN1648967A (en) | Cryptographic apparatus, cryptographic method, and storage medium thereof | |
Aciiçmez et al. | Improving Brumley and Boneh timing attack on unprotected SSL implementations | |
CN1218531C (en) | Countermeasure method in electric componnet implementing elliptical curve type public key cryptography algorithm | |
CN1554047A (en) | Device and method for calculating the result of a modular exponentiation | |
Abdeldaym et al. | Modified RSA algorithm using two public key and Chinese remainder theorem | |
Li et al. | Design and implementation of an improved RSA algorithm | |
CN1592190A (en) | Hardware cryptographic engine and encryption method | |
CN1348646A (en) | Method and device for effective key length control | |
CN111385092B (en) | Cipher device using information blinding and its cipher processing method | |
CN1314223C (en) | Cryptography private key storage and recovery method and apparatus | |
CN1483260A (en) | Method and device for detecting a key pair and for generating rsa keys | |
CN1411644A (en) | Countermeasure method in electronic component which uses RSA-type public key cryptographic algorithm | |
CN1630999A (en) | Method for countermeasure in an electronic component using a secret key algorithm | |
CN1833220A (en) | Methods and apparatus for extracting integer remainders | |
CN111368317B (en) | Computer data encryption system and method | |
CN1568457A (en) | Secure method for performing a modular exponentiation operation | |
CN1270472C (en) | Device and method for generating electronic keys from mutual prime numbers | |
Heiman | A note on discrete logarithms with special structure | |
WO2007129197A1 (en) | Cryptographic apparatus and process | |
CN1392472A (en) | Montgomery analog multiplication algorithm for VLSI and VLSI structure of intelligenjt card analog multiplier | |
CN1397035A (en) | Modular exponential algorithm in electronic component using public key encryption algorithm |
Legal Events
Code | Title | Date | Description |
---|---|---|---|
C06 | Publication | ||
PB01 | Publication | ||
C10 | Entry into substantive examination | ||
SE01 | Entry into force of request for substantive examination | ||
C12 | Rejection of a patent application after its publication | ||
RJ01 | Rejection of invention patent application after publication |